From c0df580adbd4d555ecc1962dbe88e91d75b67a4e Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Wed, 19 Mar 2025 13:17:08 +0100
Subject: [PATCH] attr.c: fix nla_reserve size check

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 attr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/attr.c b/attr.c
index 2c1d354..d251c25 100644
--- a/attr.c
+++ b/attr.c
@@ -618,11 +618,11 @@ struct nlattr *nla_find(struct nlattr *head, int len, int attrtype)
 struct nlattr *nla_reserve(struct nl_msg *msg, int attrtype, int attrlen)
 {
 	struct nlattr *nla;
-	int tlen;
-	
+	size_t tlen;
+
 	tlen = NLMSG_ALIGN(msg->nm_nlh->nlmsg_len) + nla_total_size(attrlen);
 
-	if ((tlen + msg->nm_nlh->nlmsg_len) > msg->nm_size)
+	if (tlen > msg->nm_size || tlen > UINT32_MAX)
 		return NULL;
 
 	nla = (struct nlattr *) nlmsg_tail(msg->nm_nlh);
-- 
2.30.2